Mozilla Foundation Security Advisory 2009-21

POST data sent to wrong site when saving web page with embedded frame

Announced

April 21, 2009

Reporter

Paolo Amadini

Impact

Low

Products

Firefox, SeaMonkey

Fixed in

Firefox 3.0.9

SeaMonkey 1.1.17

Description

Developer and Mozilla community member Paolo
Amadini reported that when saving the inner frame of a web
page as a file when the outer page has POST data associated with it,
the POST data will be incorrectly sent to the URL of the inner frame.
This could potentially result in a user's sensitive data being sent to
a site for which it was not intended.